From: Andrew Seguin
To: freebsd-net@freebsd.org
Date: Thu, 23 Mar 2006 21:27:25 +0100
Message-ID: <442304AD.1010709@borgtech.ca>
Subject: net.link.ether.bridge.config efficiency for more than 2 interfaces?
List-Id: Networking and TCP/IP with FreeBSD

I'm trying to get a VLAN-based firewall working, but I'm having a problem with ARP & DHCP not working well (DHCP could maybe be not working well because of ARP).

The network is set up:

  IP: xyz.zyx.xzy.0/24
  [ISP router -> ISP switch] -> firewall -> {vlans, tagged} -> layer-2 switch -> other switches

(I don't have the authorization to put the firewall between the ISP router/switch, unfortunately.)

I've configured a local layer-2 managed switch to have all VLANs tagged on port 1, and then configured two ports per VLAN.

In the firewall I have it configured as follows:

  network cards:
    fxp0 -> to the ISP switch (.14/28)
    fxp1 -> unused at the moment
    fxp2 -> receives the VLANs
      vlan3   vlan 3 vlandev fxp2;   (IP: .17/28)
      vlan4   vlan 4 vlandev fxp2;   (IP: .33/27)
      vlan5   vlan 5 vlandev fxp2;   (IP: .65/26)
      vlan7   vlan 7 vlandev fxp2;   (IP: .129/25)
      vlan8   vlan 8 vlandev fxp2;   (IP: 10.1.0.0/16)

(NAT is arranged by PF to .13 on fxp0.)

Having only gateway_enable="YES" in rc.conf, the traffic between VLANs flows fine (until I put in IPFW restrictions, that is), but from the VLANs to the internet it doesn't (ping to the router doesn't work). So I decided simply to bridge all the VLANs together (if you have a possible solution around this, I'd appreciate it!). And that's where my problem begins.

For what could best be described as 'political' reasons, I want at all costs to avoid having the ISP router reconfigured (the ISP is ready to do it, people here aren't).

If I configure net.link.ether.bridge.config=fxp0,vlan7, for example, all is fine. Traffic flows normally. If I configure net.link.ether.bridge.config=fxp0,vlan3,vlan7, then I start having major problems with ARP requests making it through. DHCP is seriously affected as well, leaving computers in a pretty bad situation.
CPU usage in either case ranges from 2-4% (the internet link is only SDSL, so it's no trouble for the firewall).

I've put below a summary of the loaded ipfw rules. I sorta think my problem could be related to the bridging of ARPs, but I'm not unconvinced that the traffic shaping is affecting it as well, although the firewall rules don't change, only the bridge configuration, to go from problematic to OK.

I thank you all for your time,

Andrew

ipfw.rules:
----------
  1        allow ip from ...0/24 to ...0/24
  100      count ip from any to any via fxp0
  ...
  108      count ip from any to any via vlan8
  201-205  allow tcp/udp ssh, dhcp, snmp and dns
  300      deny netbios traffic
  401&402  pipe 10/11 (bw 300kbps, mask src/dst 0x000000ff)   // max speed per computer
  410-420  allow some stuff like web/email to go to max speed
  490&491  pipe 30/31 (bw 1000kbps)                            // max speed for 'bulk' stuff like P2P, FTP...
  492&493  pipe 20/21 (bw 200kbps, mask src/dst 0x000000ff)   // max bulk speed per computer
  65535    allow all
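One thing worth checking in the pipe rules above is how the dummynet masks partition traffic. With mask 0x000000ff, dummynet ANDs each address with the mask and gives every distinct masked (src, dst) tuple its own dynamic queue, so only the last octet identifies a "computer". That is one queue per host on the /24 subnets, but on vlan8 (10.1.0.0/16) hosts whose addresses differ only in the third octet share a queue and therefore share the 300 kbps. The script below is an added illustration, not part of the original post; the packet list and the 192.0.2.1 router address are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Masks from the post's pipe rules: "mask src/dst 0x000000ff".
HOST_OCTET_MASK = 0x000000FF
FULL_MASK = 0xFFFFFFFF


def flow_key(src, dst, src_mask=HOST_OCTET_MASK, dst_mask=HOST_OCTET_MASK):
    """Compute the dynamic-queue key dummynet derives for one packet.

    Each address is ANDed with its mask; every distinct masked tuple
    gets its own queue (and its own share of the pipe bandwidth).
    """
    s = int(ipaddress.IPv4Address(src)) & src_mask
    d = int(ipaddress.IPv4Address(dst)) & dst_mask
    return (s, d)


def group_flows(packets, src_mask=HOST_OCTET_MASK, dst_mask=HOST_OCTET_MASK):
    """Map each queue key to the set of (src, dst) flows that land in it."""
    queues = defaultdict(set)
    for src, dst in packets:
        queues[flow_key(src, dst, src_mask, dst_mask)].add((src, dst))
    return dict(queues)


def colliding_queues(packets, src_mask=HOST_OCTET_MASK, dst_mask=HOST_OCTET_MASK):
    """Return only the queues that more than one distinct flow shares."""
    grouped = group_flows(packets, src_mask, dst_mask)
    return {key: flows for key, flows in grouped.items() if len(flows) > 1}


# Constructed sample: three vlan8 hosts talking to the upstream router
# (192.0.2.1 is a documentation address standing in for the ISP router).
SAMPLE_PACKETS = [
    ("10.1.0.5", "192.0.2.1"),
    ("10.1.1.5", "192.0.2.1"),   # same last octet as 10.1.0.5
    ("10.1.0.6", "192.0.2.1"),
]

if __name__ == "__main__":
    for key, flows in colliding_queues(SAMPLE_PACKETS).items():
        print("queue %r shared by %s" % (key, sorted(flows)))
    # A /32 mask (0xffffffff) keeps every host in its own queue.
    print(len(group_flows(SAMPLE_PACKETS, FULL_MASK, FULL_MASK)), "queues with /32 masks")
```

The same collision applies to the per-computer bulk pipes 20/21, since they use the same mask.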